BlackBerry’s Cylance acquisition raises eyebrows in the security community
Will acquisition compromise Cylance's anti-malware service in the name of law enforcement?
23 November 2018
BlackBerry, which has rebranded as a security company as its mobile handset business fades, has purchased Cylance, the machine-learning-based anti-malware company, for $1.4 billion (€1.2 billion). The move is in line with BlackBerry’s public strategy to secure endpoint devices such as cars, medical devices, and critical infrastructure, but it raises eyebrows in the security community, given the company’s history with encryption backdoors.
The company plans to integrate Cylance’s anti-malware solution into the BlackBerry Spark platform, “which is at the centre of our strategy to ensure data flowing between endpoints (in a car, business, or smart city) is secured, private, and trusted,” BlackBerry wrote in a statement.
Deploying Cylance’s well-respected anti-malware service on IoT devices is potentially a big win for IoT security, but CEO John Chen’s stance on “lawful access” has put him and BlackBerry at odds with much of the security community — and that may concern organisations planning to use the Cylance/Spark product.
At the height of BlackBerry’s popularity as a handset manufacturer, the company is thought to have shared its global decryption key for consumer BlackBerry devices with the Canadian federal police, the RCMP. During the Apple v. FBI dispute a couple of years ago, when the FBI was clamouring for backdoored encryption, Chen was a vocal critic of Apple and called for tech companies to cooperate with law enforcement. But in a blog post yesterday, Chen said that “BlackBerry’s products do not have backdoors,” while reiterating his stance that tech companies should “comply with reasonable lawful access requests.”
BlackBerry’s black eye
Court documents make clear that at least as early as 2010 the Canadian federal police had a copy of BlackBerry’s global decryption key, installed in every consumer device at the factory. Whoever possessed a copy of that key was able to decrypt text messages sent between BlackBerry’s consumer handsets. By designing a system with backdoored encryption, not only did BlackBerry make consumer handset users vulnerable to the RCMP for “lawful access”, but also vulnerable to any foreign spies, organised criminals, or terrorists who might have hacked the company (or the RCMP) and stolen a copy of that decryption key.
(BlackBerry denies giving its global decryption key to the Canadian police but offered no alternative explanation of how the key came into the RCMP’s possession.)
While leaving a global decryption key — AKA a “golden key” — under the doormat for malicious actors to discover and use to violate the confidentiality of user text messages is bad, a similar system deployed for the types of IoT devices that Cylance supports could have more serious consequences. Any cooperation with law enforcement that creates such a backdoor weakens security for everyone, experts told CSO.
Backdoors can be any method that provides access to encrypted information without the user’s consent. “Backdoors can be a public safety issue when present in remotely accessible, safety-critical systems,” Beau Woods, a Cyber Safety Innovation Fellow with the Atlantic Council in Washington, tells CSO. “Technical capabilities are policy agnostic — they cannot distinguish between what is permitted and forbidden by law.”
Woods added that there is a “persistent belief among security professionals that antivirus vendors whitelist (or at least don’t blacklist) law enforcement tools.” There is no evidence that Cylance has ever put backdoors in its malware detection solution, or whitelisted government malware. But with John Chen now in control of Cylance, it will be a question on everyone’s mind.
“Anyone that whitelists malware of any type runs the risk of weakening critical infrastructure for everyone, including governments and citizens. No malware should ever be whitelisted,” Harry Halpin, a security researcher at Inria, the French national institute for research in computer science and automation, and MIT, tells CSO. “The problem is malware can be just as dangerous as nuclear weapons in taking out infrastructure and should be treated accordingly.”
BlackBerry’s acquisition of Cylance worries Halpin, who adds, “A track record of cooperation by anyone points to possible future cooperation.”
Why lawful access is bad security
Any deliberately created vulnerability, even one created for use by law enforcement, could easily be stolen. As the world’s leading cryptographers have concluded for years, this kind of “golden key” will inevitably be hacked by foreign powers like Russia, China and Israel.
Backdoored encryption has far more serious consequences in the IoT space. “In a world where cryptographic keys protect cars, cardiac devices, trains, and smart meters, losing those keys has grave implications,” Éireann Leverett, founder and CEO of Concinnity Risks, tells CSO. “Our safety literally depends on those keys.”
Deploying that kind of backdoor in medical devices could result in injury or death. Security expert Marie Moe, the research manager for the information security team at SINTEF in Norway, who has lived with a pacemaker since her early thirties, worries that encryption backdoors in medical devices would get stolen, either from the vendor or law enforcement, and then used for nefarious purposes. “I would not like to have a backdoor into my pacemaker,” Moe tells CSO.
The difficulty of knowing whether a major nation-state player has stolen a copy of an encryption backdoor, combined with the difficulty of updating hard-coded backdoors, makes such “lawful access” measures unworkable.
“If we have to reset our passwords every time our bank gets hacked,” Leverett asks, “how can companies still allow these hardcoded back doors, that they can’t reset?”
But that’s exactly what BlackBerry did.
What did BlackBerry do?
According to Motherboard, the Canadian federal police were able, at the height of BlackBerry’s popularity, to intercept and decrypt the text messages of any personal BlackBerry phone in the world, devices that are no longer available today. (BlackBerry’s current enterprise software products are not affected.) The global decryption key was loaded onto every handset during manufacturing. “With this one key, any and all messages sent between consumer BlackBerry phones can be decrypted and read,” Motherboard wrote.
Using this key, the Canadian federal police decrypted more than one million text messages over a two-year period. According to heavily redacted court documents obtained by VICE Canada, “the RCMP maintains a server in Ottawa that ‘simulates a mobile device that receives a message intended for [the rightful recipient].’”
The judge in the case made it clear that “all parties” — including the government prosecutor — agreed that “the RCMP would have had the correct global key when it decrypted messages during its investigation. By resorting to the global key,” the judge said, “the RCMP was able to decrypt the intercepted messages.”
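The design described above (one key loaded into every handset at the factory, so that whoever holds it can read every consumer message) and Leverett’s point about hard-coded keys that cannot be reset can be made concrete in code. The following is an added illustration, not from the article or from BlackBerry, and assumes nothing about BlackBerry’s actual protocol: it models the two key-scoping choices side by side, using a toy HMAC-based stream cipher (not a production cipher) only so the blast-radius comparison can be run.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Tuple


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256: illustration only, not a production cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))


# Model 1: a single global key burned into every handset at the factory (the design the article describes).
GLOBAL_KEY = secrets.token_bytes(32)


def global_key_fleet(messages: Dict[str, bytes]) -> Dict[str, bytes]:
    return {dev: encrypt(GLOBAL_KEY, msg) for dev, msg in messages.items()}


# Model 2: each device generates its own key; the vendor never holds it and the device can replace it.
def per_device_fleet(messages: Dict[str, bytes]) -> Tuple[Dict[str, bytes], Dict[str, bytes]]:
    keys = {dev: secrets.token_bytes(32) for dev in messages}
    return keys, {dev: encrypt(keys[dev], msg) for dev, msg in messages.items()}


def rotate_device_key(keys: Dict[str, bytes], dev: str) -> bytes:
    """A per-device key can be reset at any time; a factory-burned global key cannot."""
    keys[dev] = secrets.token_bytes(32)
    return keys[dev]


def readable_with(key: bytes, ciphertexts: Dict[str, bytes], plaintexts: Dict[str, bytes]) -> int:
    """Blast radius: how many of the fleet's messages does a holder of `key` recover?"""
    return sum(1 for dev, ct in ciphertexts.items() if decrypt(key, ct) == plaintexts[dev])


# Constructed sample traffic for the demonstration (not real messages).
SAMPLE = {"handset-A": b"pickup at the usual place", "handset-B": b"invoice attached, pay by friday",
          "handset-C": b"call me when you land"}

if __name__ == "__main__":
    ct = global_key_fleet(SAMPLE)
    print("global key leaked, messages readable:", readable_with(GLOBAL_KEY, ct, SAMPLE))  # 3
    keys, ct = per_device_fleet(SAMPLE)
    print("one device key leaked, messages readable:", readable_with(keys["handset-A"], ct, SAMPLE))  # 1
```

With the global key, one leak (from the vendor or from the police server) exposes the whole fleet and nothing can be rotated; with per-device keys a leak exposes one device, and that device can re-key itself.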
In a blog post, Chen defended the decision, writing, “Regarding BlackBerry’s assistance, I can reaffirm that we stood by our lawful access principles.” Chen reiterated that position yesterday in a blog post responding to this article.
BlackBerry provides “lawful access” globally
In addition to its alleged cooperation with the Canadian police, BlackBerry also cooperated with law enforcement around the world. “We [BlackBerry] were helping law enforcement kick ass,” a source at BlackBerry told Canada’s CBC, which reported that “the company is swamped by requests that come directly from police in dozens of countries.”
US law prohibits American companies from intercepting user communications on behalf of foreign countries, the CBC reported, but as a Canadian company, BlackBerry operates under the looser regulations in place north of the border. A legal expert quoted in the CBC report criticised this as an end run around mutual legal assistance treaties (MLATs), the normal process by which law enforcement requests assistance from another country.
In a call announcing the Cylance acquisition, CSO asked Chen whether he would continue BlackBerry’s support for “lawful access” encryption backdoors as the new head of Cylance. Chen said, “We do support legal access. I believe every company should,” adding that “we all have a social responsibility to protect the safety of the government and the people.”
Backdoors in machine learning
A backdoor in machine learning would look very different from the encryption backdoor BlackBerry deployed in its consumer handsets. Researchers have demonstrated that machine learning can be backdoored, and how such backdoors might work.
“It’s possible they [BlackBerry] could add machine learning-specific backdoors of the style we proposed last year that makes it ignore their own state-sponsored malware,” Brendan Dolan-Gavitt, an assistant professor in the computer science and engineering department at New York University, tells CSO.
“We showed that when you’re training something like a deep learning system you can teach it to recognise specific triggers and then misclassify any inputs that have that trigger,” Dolan-Gavitt adds. “We haven’t looked at anti-malware systems specifically, but I think it would work.”
The FBI has been demanding tech companies create backdoors for 20 years to make it easier for law enforcement to do its job. Asking BlackBerry to whitelist law enforcement malware to gain access to a suspect’s IoT devices would yield an enormous amount of intimate information about that person. But that kind of “wiretapping” permits more than just eavesdropping — it enables attacks on data integrity and availability as well, attacks that malicious actors will inevitably engage in.
IDG News Service